Overview
The Digital Personal Data Protection Rules, 2025 create the practical framework for implementing India’s data privacy regime under the DPDP Act, 2023. The Rules require organizations (“data fiduciaries”) to obtain clear and informed consent, provide transparent privacy notices, limit data use to specified purposes, implement security safeguards, and enable individuals to exercise rights over their personal data.
The Rules introduce requirements for reporting personal data breaches, managing consent withdrawal, retaining and deleting data appropriately, and protecting children’s data through verifiable parental or guardian consent. They also regulate cross-border transfers of personal data and establish operational procedures for the Data Protection Board of India to oversee compliance, investigate violations, and address grievances.
Implementation is phased over multiple years, allowing organizations time to adapt compliance programs, governance processes, and technical controls. Overall, the Rules aim to strengthen privacy protection, accountability, and responsible digital data use while balancing individual rights with legitimate data processing needs in India’s digital economy.